Security News > 2022 > April > New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops

New Lenovo UEFI Firmware Vulnerabilities Affect Millions of Laptops
2022-04-19 19:31

Three high-impact Unified Extensible Firmware Interface security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices.

Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "Affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár said in a report published today.

CVE-2021-3970 - A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3971 - A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.

CVE-2021-3972 - A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

The weaknesses, which impact Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops, add to the disclosure of as many as 50 firmware vulnerabilities in Insyde Software's InsydeH2O, HP UEFI, and Dell since the start of the year.


News URL

https://thehackernews.com/2022/04/new-lenovo-uefi-firmware.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-04-22 CVE-2021-3972 Unspecified vulnerability in Lenovo products
A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.
local
low complexity
lenovo
6.7
2022-04-22 CVE-2021-3971 Unspecified vulnerability in Lenovo products
A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify firmware protection region by modifying an NVRAM variable.
local
low complexity
lenovo
6.7
2022-04-22 CVE-2021-3970 Improper Input Validation vulnerability in Lenovo products
A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models BIOS may allow an attacker with local access and elevated privileges to execute arbitrary code.
local
low complexity
lenovo CWE-20
6.7

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Lenovo 2278 4 176 156 16 352